Then each one-time signature key must be generated twice, once for the MSS public key generation and once during the signing phase.

It also defines $\text{PRNG}$: $\text{Seed}_{\text{in}} \rightarrow (\text{RAND}, \text{SEED}_{\text{out}})$, where $\text{RAND}$ is a random number.

Finally, it describes an example of MSS + W-OTS. Here, $\text{SEEDOTS}_j$ is used to generate the signature key $X_j = (x_{t-1},...,x_0)$, where the $x_i$ are generated as $(x_i, \text{SEEDOTS}_j)=\text{PRNG}(\text{SEEDOTS}_j)$.

My question: How is it possible to generate the same key for public key generation and during the signing phase, for each one-time signature key, if $x_i$ is random (by the definition of $\text{PRNG}$)?

1 Answer

Probably it's possible because they are using a deterministic pseudorandom number generator (PRNG) to generate these values, as a deterministic function of some seed, which is remembered by the holder of the private key.
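The point made in the answer, as an added example that is not part of the original post or of the scheme's reference code: a deterministic PRNG lets the signer rebuild the same $X_j$ at key generation and again at signing time. Assumptions: the PRNG is instantiated with HMAC-SHA256, the per-leaf seed chain in `leaf_seeds` and the order in which the $x_i$ are produced are illustrative choices, and all seed values are constructed.

```python
import hashlib
import hmac
from typing import List, Tuple


def prng(seed_in: bytes) -> Tuple[bytes, bytes]:
    """PRNG: seed_in -> (RAND, seed_out). Assumed instantiation: HMAC-SHA256
    with two fixed labels, so the same seed always gives the same pair."""
    rand = hmac.new(seed_in, b"rand", hashlib.sha256).digest()
    seed_out = hmac.new(seed_in, b"seed", hashlib.sha256).digest()
    return rand, seed_out


def ots_signing_key(seedots_j: bytes, t: int) -> List[bytes]:
    """Expand SEEDOTS_j into the t secret strings of the W-OTS key X_j by
    iterating (x_i, SEEDOTS_j) = PRNG(SEEDOTS_j). Listed in generation order."""
    xs, seed = [], seedots_j
    for _ in range(t):
        x_i, seed = prng(seed)
        xs.append(x_i)
    return xs


def leaf_seeds(master_seed: bytes, leaves: int) -> List[bytes]:
    """Assumed seed chain: (SEEDOTS_j, SEED_{j+1}) = PRNG(SEED_j), so only the
    master seed has to be stored by the private key holder."""
    out, seed = [], master_seed
    for _ in range(leaves):
        seedots_j, seed = prng(seed)
        out.append(seedots_j)
    return out


def regenerates_identically(master_seed: bytes, leaves: int, t: int) -> bool:
    """Build every X_j once for MSS public key generation, then rebuild each
    from the stored seed as the signing phase would, and compare."""
    keygen_pass = [ots_signing_key(s, t) for s in leaf_seeds(master_seed, leaves)]
    signing_pass = [ots_signing_key(s, t) for s in leaf_seeds(master_seed, leaves)]
    return keygen_pass == signing_pass


if __name__ == "__main__":
    master = bytes(32)  # constructed all-zero seed, for demonstration only
    print(regenerates_identically(master, leaves=8, t=4))
```

The $x_i$ are pseudorandom rather than truly random: unpredictable to anyone without the seed, but fully reproducible by the holder of it.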